Tuesday, September 21, 2010

IDS: Another Way of Looking at It

With intrusions now so frequent, the best way to prevent them is the combined use of firewalls, IDS and IPS.

A traditional stateful firewall serves as the first line of defense against network-layer attacks, but it cannot stop worms and other application-layer attacks (which ride in over open ports such as 80 and 443). Intrusion detection systems use passive sensors installed on the network to monitor traffic for any sign of malicious access. The sensors can detect attacks aimed at the application layer but cannot prevent them; by the time the network staff receive an IDS alarm and take action, it is often too late.

The trouble with IDS

IDS generates a large number of false alarms. Some users believe that the alerts an IDS produces are mostly false positives and that there is no sensible way to handle them; dealing with IDS alerts is a headache, and users often spend 20 hours investigating two hours' worth of alerts. One network administrator complained: "Every day I spend a lot of time looking at IDS records, even while eating lunch, and holidays are no exception; those IDS records have become my daily must-read Little Red Book."

Because of these defects, Gartner recommends that users adopt IPS (intrusion prevention systems) instead of traditional IDS. Companies such as ISS, NetScreen, NAI, TippingPoint, StillSecure and Top Layer provide IPS equipment. The difference from an IDS, which only monitors and alarms, is that an IPS sits inline and can block attacks. Host-based IPS software from companies such as Entercept (now part of NAI) and Okena (now part of Cisco) can be deployed directly on application servers, intercepting system calls to watch for changes to critical system files, changes to file permissions, and other signs of attack.

Has IDS really died a natural death, as Gartner put it? Can IPS always replace IDS? Most analysts and IDS vendors, and even IPS vendors, do not think so. At least for now, we believe IDS still cannot be replaced for security auditing and follow-up investigation. In fact, IDS and IPS use the same detection technology, so both suffer from the same detection accuracy problems. Because a wrong IPS verdict may disrupt normal network services, most users connect their IPS to the corporate network in IDS (monitoring-only) mode.

IPS and IDS together

IDS and IPS vendors are making more attempts at automated configuration and intelligent analysis. For example, TippingPoint's UnityOne can be configured in minutes. IDS vendors including Cisco, Symantec and ISS also provide audit functions that remove irrelevant alerts.

Compared with IDS products, IPS equipment is expensive. An IPS is useful for protecting the perimeter, the DMZ and one or two key subnets, but in a large network with 400 subnets the user may not have the budget to deploy an IPS on every subnet.

In fact, IPS and IDS can be used together, each playing to its strengths. The IPS blocks worms and other application-layer attacks, which at the same time reduces the number of alerts the internal IDS generates, letting users monitor subnets with the IDS safely and improve the enterprise security strategy. For example, one user uses Top Layer's Attack Mitigator IPS to protect the gateway and data centers, enabling filters one at a time to make sure none of them blocks a legitimate business process. The Attack Mitigator IPS is deployed outside the firewall to block DoS attacks, while the IDS is used for monitoring inside the network, and the user no longer needs to spend much time reviewing IDS records. Similarly, another user deployed TippingPoint UnityOne IPS devices at the network perimeter and made extensive use of the behavior-based StealthWatch IDS inside the network, replacing the original Snort IDS equipment. Thanks to the IPS blocking, the number of IDS alerts fell by 99%; previously the user had to review IDS records all the time, but now does not.
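The alert-volume problem described above (20 hours to review two hours of alerts, and the "audit functions that remove irrelevant alerts" the vendors offer) comes down to tuning and aggregation. As an added example that is not from the article or any vendor, the script below parses Snort "fast"-format alert lines, suppresses signatures and trusted sources that have been tuned out, and collapses repeats into one incident per (signature, source). The sample alerts and the local rule IDs 1000001-1000004 are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Snort "fast" alert format; ICMP lines carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: hypothetical local sids 1000001-1000004, not real rule IDs.
SAMPLE_ALERTS = """\
09/21-10:01:02.000001  [**] [1:1000001:1] LOCAL SCAN SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44122 -> 192.0.2.10:22
09/21-10:01:03.000002  [**] [1:1000001:1] LOCAL SCAN SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44123 -> 192.0.2.11:22
09/21-10:02:00.000003  [**] [1:1000002:1] LOCAL ICMP ping from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.2 -> 192.0.2.10
09/21-10:03:10.000004  [**] [1:1000003:1] LOCAL POLICY inbound to MSSQL 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.20:1433
09/21-10:04:15.000005  [**] [1:1000004:2] LOCAL ATTACK-RESPONSE id check returned root [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 198.51.100.9:40321
"""

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
            alerts.append(a)
    return alerts

def triage(alerts, suppress_sids=frozenset(), trusted_sources=()):
    """Drop tuned-out sids and trusted source networks, collapse repeats per (sid, source)."""
    trusted = [ip_network(n) for n in trusted_sources]
    groups, suppressed = defaultdict(list), 0
    for a in alerts:
        src = ip_address(a["src"])
        if a["sid"] in suppress_sids or any(src in net for net in trusted):
            suppressed += 1
            continue
        groups[(a["sid"], a["src"])].append(a)
    incidents = [{"sid": sid, "src": src, "msg": hits[0]["msg"], "prio": hits[0]["prio"],
                  "count": len(hits), "targets": sorted({h["dst"] for h in hits})}
                 for (sid, src), hits in groups.items()]
    incidents.sort(key=lambda i: (i["prio"], -i["count"]))  # priority 1 first, then busiest
    return incidents, suppressed

if __name__ == "__main__":
    incidents, dropped = triage(parse_alerts(SAMPLE_ALERTS), {1000002}, ["192.0.2.2/32"])
    for i in incidents:
        print(f"P{i['prio']} sid={i['sid']} {i['msg']} from {i['src']} x{i['count']} -> {i['targets']}")
```

Five raw alerts become three incidents with the monitoring-host ping tuned out, and the priority-1 attack response surfaces first instead of being buried under the scan noise.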


Besides IPS, another technology designed to protect Web servers and applications in the DMZ is the Web application firewall. Such products prevent unauthorized use of Web applications, in particular the data-theft attacks on Web applications that the firewall and IPS let through. In addition, host-based intrusion prevention software can provide extra protection for the Web applications inside key servers. Check Point and NetScreen firewall products have added deep inspection; unlike IPS and Web application firewalls, which rely on hardware features for deep inspection, the Check Point and NetScreen firewalls implement it in software.

Faced with today's security challenges, most analysts and vendors agree that layered defenses, drawing on the respective strengths of firewall, IPS and IDS, are currently the best means of protecting corporate networks.
I hope this article lets readers re-recognize IDS and combine these technologies to prevent network intrusions.
